MeshCore


Everything MeshCore: Hardware, Software, general discussion...

founded 8 months ago
1
 
 

A crafted MeshCore node name could compromise any Home Assistant instance running meshcore-card as soon as someone viewed a dashboard with that card.

The same XSS (cross-site scripting) pattern appears to be present in MeshCore-Home-Assistant-Panel-v2 and its HACS variant.

To be abundantly clear, and the post goes into detail why, this is not a bug in MeshCore but rather in how web dashboards are not properly sanitizing untrusted input. In this case, the untrusted input is via a field that any malicious MeshCore node could send.

Well worth a read and a follow on their Mastodon.
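The sanitization gap described in the post above, as an added example that is not part of the original post and is not code from meshcore-card or the panel projects: a dashboard renderer that interpolates a node name straight into markup, next to one that treats the name as untrusted text. The function names, the 32-character cap and the sample names are assumptions made for illustration.

```javascript
// Added illustration: hypothetical card renderer, not the project's own code.
const HTML_ESCAPES = { '&': '&amp;', '<': '&lt;', '>': '&gt;', '"': '&quot;', "'": '&#39;' };

// Encode every character that can change HTML parsing context.
function escapeHtml(value) {
  return String(value).replace(/[&<>"']/g, (ch) => HTML_ESCAPES[ch]);
}

// Normalise the radio-supplied field: strings only, no control chars, capped length.
// The cap (assumed value) is applied before escaping so an entity is never cut in half.
function cleanNodeName(raw, maxLen = 32) {
  const text = typeof raw === 'string' ? raw : '';
  return text.replace(/[\u0000-\u001f\u007f]/g, '').slice(0, maxLen);
}

// Unsafe pattern: the name becomes part of the markup the browser parses.
function renderNodeRowUnsafe(node) {
  return `<div class="node" title="${node.name}">${node.name}</div>`;
}

// Hardened pattern: the name is only ever emitted as encoded text.
// In DOM code, assigning to element.textContent achieves the same for element bodies.
function renderNodeRowSafe(node) {
  const name = escapeHtml(cleanNodeName(node.name));
  return `<div class="node" title="${name}">${name}</div>`;
}

// Counts tag openers so the two renderers can be compared mechanically.
function countMarkupTags(html) {
  return (html.match(/<[a-zA-Z\/]/g) || []).length;
}

// Constructed sample names, as a dashboard might receive them from the mesh.
const sampleNodes = [
  { name: 'Repeater-North' },
  { name: '<i>Hilltop</i> "A&B"' },
];

for (const node of sampleNodes) {
  console.log('unsafe tags:', countMarkupTags(renderNodeRowUnsafe(node)),
              'safe tags:', countMarkupTags(renderNodeRowSafe(node)));
}
```

A safe row always contains exactly the two tags the template itself wrote, whatever the node advertises as its name.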

2
 
 

cross-posted from: https://lemmy.world/post/47111253

I recently bought a Lilygo T-Deck Plus and had assumed it would include an antenna, since I ordered it with an external antenna. Today it arrived and apparently doesn't come with any external antenna, just a hole in the top with a rubber bung where one would go.

I had heard the antenna it comes with isn't very good, so I bought a Stubby from ZBM2 Industries. What I need to know is what connector piece I need to go between the antenna and the circuit board. The little brass-colored thing that the antenna screws onto. What's that part called and is there anything I should watch out for when finding one?

3
 
 

A reasonable overview of the MeshCore architecture and tunable parameters.

Probably the only part I don't agree with is the idea that the companion/repeater dichotomy is an inherent part of the MeshCore architecture. I don't believe it is, although it's certainly part of the practical implementation. That is to say, if someone wants to use MeshCore purely as a private point-to-point link, then they can jettison the notions of companions and repeaters entirely. As a person to person mesh network, though, companions and repeaters are essential. The distinction I'm trying to draw is that MeshCore can be a lot more than text messages sent amongst friends.

While reading, the explainer for the three-tier t delay seemed especially analogous to me to how circuit breakers are arranged: a nearby power strip might have a fast-tripping 15 amp thermomagnetic breaker, the upstream main panel might be using a 20 amp curve B (moderate trip rate) thermomagnetic breaker, and the utility might be using a magnetic 400 amp breaker. By their nature, thermomagnetic breakers will handle localized faults that are 3-5x the rating, while the utility's magnetic breaker will trip precisely at 400.1 amps, to protect line-side equipment. Whereas if the utility breaker tripped first, it would unnecessarily black out a whole neighborhood.

Also observe that MeshCore's "flood-then-direct" behavior is identical to that of Ethernet (i.e. unknown unicast, then unicast), except that Ethernet frames do not get appended with the network path as they progress, which is akin to the postal service where letters arrive at their destination but with no indication of the routing. Accordingly, the MeshCore sender necessarily reserves space to store the mesh route, choosing a tradeoff between node-count (up to 64) or granularity (up to 3 bytes per repeater). This seems complex, but just like with the tax code, complexity is necessary to handle every reasonable scenario.

I will also reiterate the ongoing bug in MeshCore's encryption, which is the use of AES-ECB in the year 2026. Although it's AES-256, ECB has been a known encryption vulnerability for decades and should not have been used in the MeshCore spec. Meshtastic appears to have avoided this particular foible.

Note: the author's blog mentions in the About page that some AI is used to assist in his writing.

4
 
 

I spent over 100k sats on 2 pieces of landfill trash, because of retailers and other websites and random people lying about LoRa mesh protocols being "open source."

The goal was already to spread the word about lies these retailers and other related sites spread, e.g. gaslighting users about end-to-end encryption, but there's no point using the network to spread the word about the lie of being open source. It's a fool's errand, the corporations already scammed my money out of me and they'll just use me to make even more money while I try to tell people to stop wasting the money.

So now I have a SenseCap and a Wio Tracker L1 Pro shipping to me for nothing except to scrap for parts like the batteries, and throw the malware transceiver/computer parts in the garbage so nobody can use them to spread this piece of shit malware cult.

Have fun downvoting/removing/banning me, to the majority here moronic enough to side with the scammers even after reading the truth.

5
 
 

What can be done

The most glaring problem with MeshCore is that the maintainers do not openly communicate vulnerabilities. Users are left without knowledge of any problems, unable to judge whether to trust MeshCore with their private communication.

6
 
 

Here is the thing about open source, Andy: it isn't yours to fence. You don't get to ride a community's goodwill into a USPTO filing and a paywall. You don't get to turn "we built this together" into "I own this, pay me." That isn't a pivot. That's a rug pull dressed up as a business model.

And here is the thing about the "license check" you shipped: it is a 32-bit djb2 hash of the device's Android ID, XORed with the four ASCII bytes MCPP, hex-encoded. That's it. Thirty-two bits. Less entropy than a decent ZIP password. A first-year CS student could break it. You used Claude to generate the code. We used Claude to read the code. It took 19 minutes. The receipts are one click away.

7
 
 

Migrating to the new meshcore.io site

8
 
 

cross-posted from: https://lemmy.world/post/45567835

Created my first meshcore solar powered repeater. Using the lilygo t-beam supreme and an overkill solar panel. All mounted on a din rail in a waterproof electrical cabinet.

It also included some more monitoring, using an esp32c6 running esphome with zigbee and deep sleep. Because I want to keep track of the solar performance.

It was a lot of work to get running, from soldering, 3d printing but also some little firmware changes. I even thought I burned out the lora module by running it without the antenna sometimes. I couldn't test it because I only had 2 other t-beams that were 443Mhz. Today, after buying a hot air station and some soldering I now have 2 boards that work with 869Mhz (swapped the sx1278 with a sx1262). Now I am just waiting on the last 869Mhz module so I can modify my last board.

A little cursed I think but the new module didn't have the same footprint so this also works.

firmware

I like how easy the firmware is to edit, when you have some arduino experience. I added support for the 443Mhz t-beam, made it possible to connect via the app and via the home assistant integration at the same time and created a custom sensor that controls 2 relays, so I can control them remotely. But for some reason the screen just won't work, I tried using the example arduino sketch, different versions and all, none work. I do know the screen is functional because with the test firmware from lilygo it does work.

range

I haven't really tested it with the new antenna, but when I let it run for some time using the stock one, I got contacts from over 125km away, which did really surprise me. I hope with this new antenna that I can also send messages not only receive them.

Some more pictures

9
 
 

Mapme.sh is a community-built coverage map for MeshCore. You connect your device to your phone over Bluetooth through a browser app, and the site logs your GPS position with signal strength data as you move. It aggregates everything into color-coded hex cells on a map, from green for strong signal down to blue for barely there. You earn points for mapping new hexes, and a leaderboard tracks top contributors. Privacy controls let you choose between real-time visibility, a 3-hour delay, or full ghost mode with a 24-hour delay. The site comes from the HanseMesh community in Germany, so it's bilingual in German and English.

10
 
 

I've actually been using meshtastic since January of last year, and I've known of meshcore pretty much since its release. However, until now, I have refused to use it because there was no open source application for smartphones to use with it. And I do not touch software that is not open source if I can at all help it. A couple of weeks ago, I learned about a new meshcore app called Meshcore-open that is currently in alpha. Last night I decided to give it a try, and so far I do like what I see. Unfortunately, the population of my city is only like 45,000, and there are only a couple of meshtastic nodes even in the area, and so I'm all alone here. I unfortunately am unable to put up my own repeater because my yard is absolutely full of trees and a solar node just will not stay charged.

11
 
 

tbh I'm not a big fan of proprietary firmware, but I thought someone might find this interesting.

12
 
 

I recently checked out Meshcore because I live in the outskirts of Ottawa, and the city has completely switched to it from Meshtastic. I was impressed with how big the mesh is, and how well I was able to communicate with someone clear across to the other side! I was on a beach, connecting direct to a repeater 30km away, and they were receiving me another 20 km from there. Very cool.

Anyway, I learned about meshmapper.net from an active Ottawa mesh community member, and dev of the site, Mr. Alders0n.

Been having fun wardriving the area and mapping the mesh's reach into the outskirts.

Just made this app, which is a portal to easily access the war driving web app, and the mesh maps, and added a way to pin the city instead of trying to navigate the globe map to select it... yeah I know I can just add shortcuts to my browser for both, but this was more fun :)

13
 
 

cross-posted from: https://gregtech.eu/post/25654151

Basically title. I'm in the EU, so I need an 868Mhz one. I need it to be weather-resistant, because I'm making an outdoors node. Cost and size are not an issue. I plan to mount it relatively high.

I'll most likely install it on a Heltec T114.

14